The Register® — Biting the hand that feeds IT

Feeds

NYT scareware scam linked to click fraud botnet

Ukrainian fan club cheer on all sorts of mischief

By John Leyden, 18th September 2009
  • print
  • alert

Agentless Backup is Not a Myth

A botnet, initially run through compromised servers in the Bahamas, has been blamed for the recent upsurge in scareware scams.

Researchers from security firm Click Forensics have tied the Bahama botnet to a recent attack that resulted in pop-up ads punting rogue anti-virus software appearing via the New York Times website. The scam attempted to trick surfers into purchasing software called Personal Antivirus by falsely warning that their systems were infected with non-existent threats.

Personal Antivirus, far from offering a clean-up utility as advertised, infected compromised systems with a Trojan. Click Forensics said this Trojan is distributed by a gang of cybercrooks in the Ukraine called the Ukrainian fan club, who are also heavily involved in click fraud.

"We believe the Bahama botnet is controlled by this same gang, or their neighbors down the street," Click Forensics reports. "We’re pretty sure the Bahama botnet is related to the Ukrainian fan club and the NYTimes.com scareware because they each phone back to a bogus 'Windows protection' domain located on the same IP address."

Compromised hosts in the Bahama botnet generate auto-generated clicks as part of a click fraud scam that offers an additional income for crooks. This click fraud traffic is carefully designed to elude detection by search engines and ad networks by mimicking genuine searches. "The botnet is effectively disguising the fraud it produces as 'good traffic' by altering the interval and breadth of the attacks across legions of infected machines," Paul Pellman, chief exec of Click Forensic, explained.

Click Forensics first detected the Bahama botnet when they discovered it was redirecting traffic through 200,000 parked domain sites located in the Bahamas. Since then the zombie network has been reprogrammed to redirect traffic through other intermediate sites hosted in the Netherlands, US and the UK. The click fraud carried out by the botnet is explained in more detail in the video (below).

More on the Ukrainian "fan club" and its involvement in the NYT malvertisement campaign can be found in a blog post by independent security researcher Dancho Danchev here. ®

Steps to Take Before Choosing a Business Continuity Partner

Send Corrections

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
136
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
60
Internet fraud still stings suckers
Australians twice as gullible as Americans
36
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17